Discussion:
OpenSSH Setup under Windows XP
Raven Lee
23 years ago
I was very impressed by the work done on the setup guide for Windows NT and
Windows 2000.
I just have a few points.

1. You should have hyperlinks to all files you mentioned for download so we
can simply click and download.
2. Do you have an updated guide for setting up OpenSSH on Windows XP? Or can
the instructions be followed and work with XP also?
3. OpenSSH for Windows is a very straightforward installation of only the
files needed for running SSH. However, setup is still kind of difficult for
a newbie like me.
Do you have any plans on coming up with a guide for that particular
install?

Thanks. I'm very excited at the thought of running ssh for the first time.
Any help would be appreciated.


[ Ravendon Team Brushfire


The box said Windows 95 or
better, so I got a Mac.
Greg Sidelinger
23 years ago
The steps worked just fine for setting up SSHD on XP for me. I did it
with an older version of Cygwin and OpenSSH. There is a newer version
of OpenSSH in Cygwin now so I'm not sure if it will work, but I don't see
why not. I did see something on the list about adding an /tmp/empty dir
to make it work with a feature that is turned on by default now, but I
can't recall what it is called.


-----Original Message-----
From: ssh-l-***@erdelynet.com [mailto:ssh-l-***@erdelynet.com] On
Behalf Of Raven Lee
Sent: Saturday, July 20, 2002 3:47 AM
To: ssh-***@erdelynet.com
Subject: OpenSSH Setup under Windows XP

I was very impressed by the work done on the setup guide for Windows NT
and Windows 2000.
I just have a few points.

1. You should have hyperlinks to all files you mentioned for download so
we can simply click and download.
2. Do you have an updated guide for setting up OpenSSH on Windows XP? Or
can the instructions be followed and work with XP also?
3. OpenSSH for Windows is a very straightforward installation of only
the files needed for running SSH. However, setup is still kind of
difficult for a newbie like me.
Do you have any plans on coming up with a guide for that particular
install?

Thanks. I'm very excited at the thought of running ssh for the first
time. Any help would be appreciated.


* Ravendon
Team Brushfire

The box said Windows 95 or
better, so I got a Mac.
Stephen Nordlund
23 years ago
The new version of OpenSSH supports privilege
separation. There is an explanation in the
documentation of Cygwin; I think the readme is called
privesep.readme

I have had issues setting up privsep so I just turned
it off in the sshd_config file. Yes, Greg is correct,
it is a new feature that requires a /var/empty dir
with proper permissions set. Again, everything is
detailed in the above readme. When you run the
ssh_config prog, it will highlight the exact location
for the readme doc.

Regards,
Stephen Nordlund
--
List Information: http://tech.erdelynet.com/mailman/listinfo/ssh-l/
List Archives: http://archive.erdelynet.com/ssh-l/
Stephen Nordlund
23 years ago
Hi everyone:

I'm having a problem getting privsep to work properly.
Here is what I have done so far:

. ~/fixperms.sh #from ftp://ftp.erdelynet.com/mike/cygwin/

ssh-host-config -y

chown -R 544:544 /var
chown 18:18 /var/log/sshd.log
chown 544:544 /etc/ssh*
chown 544:544 /etc/ssh_host*_key

[***@babylon5]/usr/sbin:{24}:$ sshd -dd
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
Bad owner or mode for /var/empty

#changed the /var/empty owner per this doc: README.privsep

chown 544:18 /var/empty
chmod 755 /var/empty

[***@babylon5]/usr/sbin:{26}:$ ls -l /var
total 0
drwxr-xr-x 2 Administ SYSTEM 0 Jul 24 20:55 empty
drwxr-xr-x 2 Administ Administ 0 Jul 24 20:55 log
drwxr-xr-x 2 Administ Administ 0 Jul 24 20:34 run
drwxr-xr-x 2 Administ Administ 0 Jul 24 20:34 tmp

[***@babylon5]/usr/sbin:{28}:$ sshd -dd
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
Bad owner or mode for /var/empty

Currently my only option is to turn off:
UsePrivilegeSeparation option in sshd_config. I would
really like to get this going so I can play with it.
Any suggestions are welcome.

Part of the README said to do the following commands,
but I have a couple of issues with them.

# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

1.) Cygwin does not have these commands.
2.) In Windows 2000 AD you cannot have a group and a
user with the same name.

If I modify the sshd_config:
#UseLogin no
UsePrivilegeSeparation no
#Compression yes

and run sshd I get this

[***@babylon5]/usr/sbin:{35}:$ sshd -dd
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.

everything looks good


Regards,
Stephen Nordlund


Van Sickler, Jim
23 years ago
Stephen,

On one PC, mine is:

/etc/passwd:
sshd:*:27:18::0:0:/var/empty:/bin/false

/etc/group:
sshd:*:27:

On another PC, mine is:

/etc/passwd:
sshd:*:27:27::0:0:/var/empty:/bin/false

/etc/group:
sshd:*:27:

On both PCs:
/var/empty is 755, owned by system.system
I have no local (Win2k) user account for sshd
/etc/ssh contains:
ssh_config
sshd_config
ssh_host_dsa_key
ssh_host_rsa_key

ssh/sshd work fine on both.

On a side note:

I downloaded and installed the joe editor,
http://familiehaase.de/cywgin/joe/
and use it in my cygwin shell sessions.

It's a very friendly text editor, and
works great - unlike nano, which is
unusable for files containing lines that exceed
the shell window. joe doesn't have that problem.

Jim
Stephen Nordlund
23 years ago
You can't be using cygwin in windows. The password and group file would look like this:

/etc/group
Administrators:S-1-5-32-544:544:

/etc/passwd
sshd:unused_by_nt/2000/xp:1133:513:sshd privsep,U-SOLMANIA\sshd,S-1-5-21-682003330-1614895754-1606980848-1133:/var/empty:/bin/false


notice the windows SID...
I'm finding I can't create the SSHD group and user at the same time.

Maybe I'm seeing something wrong.

Here are the contents of my /etc folder:
[***@babylon5]/usr/sbin:{41}:$ ls -l /etc
total 117
drwxr-xr-x 2 Administ Administ 0 Jul 24 20:34 cron.d
-rw-r--r-- 1 Administ Administ 1271 Jul 24 20:41 group
-rw-r--r-- 1 Administ Administ 88039 Jun 21 16:28 moduli
-rw-r--r-- 1 Administ Administ 1657 Jul 24 20:55 passwd
drwxr-xr-x 2 Administ Administ 0 Jul 24 20:41 postinstall
-rw-r--r-- 1 Administ Administ 1703 Feb 12 09:46 profile
-rw-r--r-- 1 Administ Administ 386 Jul 24 20:41 profile.bak
drwxr-xr-x 2 Administ Administ 0 Jul 24 20:35 profile.d
drwxr-xr-x 2 Administ Administ 0 Jul 24 20:36 setup
-rw-r--r-- 1 Administ Administ 1049 Jul 24 20:55 ssh_config
-rw------- 1 Administ Administ 668 Jul 24 20:55 ssh_host_dsa_key
-rw-r--r-- 1 Administ Administ 612 Jul 24 20:55 ssh_host_dsa_key.pub
-rw------- 1 Administ Administ 537 Jul 24 20:55 ssh_host_key
-rw-r--r-- 1 Administ Administ 341 Jul 24 20:55 ssh_host_key.pub
-rw------- 1 Administ Administ 887 Jul 24 20:55 ssh_host_rsa_key
-rw-r--r-- 1 Administ Administ 232 Jul 24 20:55 ssh_host_rsa_key.pub
-rw-r--r-- 1 Administ Administ 2118 Jul 25 18:11 sshd_config
-rw-r--r-- 1 Administ Administ 12306 Apr 3 10:11 termcap

I also changed the owner of the /var/empty folder to:
drwxr-xr-x 2 SYSTEM SYSTEM 0 Jul 24 20:55 empty

and it still does not work..
=====
Regards,
Stephen Nordlund, MCP.
Systems Engineer

Van Sickler, Jim
23 years ago
There are a thousand ways to make it work, and
a million ways to make it not work....

I've stumbled onto one of the thousand, and
run into a few hundred of the million ;-)

It works, take my word for it.

I have two NT servers and two Win2k workstations
running cygwin with pretty much the identical
setup. sshd is running as a service via srvany.exe
on the servers and 1 wkstn; I got cygrunsrv to work
on the last install.
Post by Greg Sidelinger
-----Original Message-----
Sent: Thursday, July 25, 2002 3:22 PM
Subject: RE: privsep???
you can't be using cygwin in windows. the password and group
(look at my passwd/group info below; it is extracted from
two machines that are both working as you read this. I
didn't paste the rest of my passwd/group, as they don't apply
to the sshd issue. I only included the sshd-specific info)
Post by Greg Sidelinger
/etc/group
/etc/passwd
sshd:unused_by_nt/2000/xp:1133:513:sshd privsep,U-SOLMANIA\sshd,S-1-5-21-682003330-1614895754-1606980848-1133:/var/empty:/bin/false
notice the windows SID...
I'm finding I can't create the SSHD group and user at the same time.
You can't have a User and Group with the same name in NT. *nix
will let you.

I have a Domain user named sshd, but no Domain Group named sshd.
I'll bet if I deleted the Domain User sshd, it would still work
in cygwin. I haven't tried it yet, but I will if I get some spare
time to tinker.
Post by Greg Sidelinger
Maybe I'm seeing something wrong.
Notice that the sshd user entry in /etc/passwd has an
arbitrary UID - it doesn't match the SID, but is the same
as the OpenBSD UID for the sshd privsep user.

The GID is either 18 (system) or 27 (cygwin group sshd)
...
sshd's home dir is owned by system.system (18:18),
but you've got 513 (Everyone/nobody) as sshd's GID.
Change it to 18 or 27, and see if it works then.
Post by Greg Sidelinger
Post by Van Sickler, Jim
Stephen,
sshd:*:27:18::0:0:/var/empty:/bin/false
UID 27 doesn't match the NT SID, and it doesn't have to...
GID 18 is system

ssh'ing into this PC results in:

$ ps -aelf
UID PID PPID TTY STIME COMMAND
system 429 1 0 Jul 15 /usr/sbin/sshd
system 424 429 0 17:04:04 /usr/sbin/sshd
vansickj 404 424 1 17:04:17 /usr/bin/bash
vansickj 216 404 1 17:13:05 /usr/bin/ps
Post by Greg Sidelinger
Post by Van Sickler, Jim
sshd:*:27:27::0:0:/var/empty:/bin/false
ssh localhost results in two system-spawned sshd pid's
(no sshd-user/group spawned sshd pid's) as well:

$ ps -aelf
UID PID PPID TTY STIME COMMAND
system 932 1 0 10:25:52 /usr/sbin/sshd
vansickj 296 1 1 17:06:03 /usr/bin/rxvt
vansickj 1096 296 2 17:06:04 /usr/bin/bash
vansickj 1752 1096 2 17:06:09 /usr/bin/ssh
system 1860 932 0 17:06:11 /usr/sbin/sshd
vansickj 1488 1860 3 17:06:14 /usr/bin/bash
vansickj 1940 1488 3 17:06:35 /usr/bin/ps
Stephen Nordlund
23 years ago
... I guess you missed what I meant. I meant, if you were to look at the password file, yours does
not tie in with the SID, but mine is. If you go to windows and try to make a user and group with
the same name it will give you an error saying don't do that. Then when you make the password file
via mkpasswd or make the group file via mkgroup it pulls the SID to the password file.
=====
Regards,
Stephen Nordlund, MCP.
Systems Engineer

Van Sickler, Jim
23 years ago
Post by Greg Sidelinger
-----Original Message-----
Sent: Thursday, July 25, 2002 6:14 PM
Subject: RE: privsep???
... I guess you missed what I meant. I meant, if you were to
look at the password file yours does
not tie in with the SID. but mine is.
I realize that. If I were to use the SID assigned by NT, it
stops working. I'm using the *nix UID:GID that works on my
OpenBSD ssh installation; it also happens to work on NT/Win2k.
I think cygwin is more *nix than Win32, in that it accommodates
some of the NT constraints. But it's still *nix at the core.
Post by Greg Sidelinger
If you go to windows and try to make a user and group with
the same name it will give you an error saying don't do that.
As it should.
Post by Greg Sidelinger
Then when you make the password file
via mkpasswd or make the group file via mkgroup it pulls
the SID to the password file.
The contents of the passwd/group files aren't absolute.
Run mkpasswd if you have a lot of accounts to pull in.
The UID:GID mkpasswd pulls in isn't absolute,
or even appropriate for many accounts. The Domain Users
GID of 10513 has to be changed to 513. If you're a member
of the Domain Admins, 10544 has to be changed to 544 to
work as GID for the cygwin Administrators group.

Look at Mike's how-to's for setting ssh up; he changes
Administrator:Administrators to admin:admins, with a
home dir of /home/admin. Edit them to fit your needs,
but make sure that cygwin's dir's/security match what
you're trying to do. (e.g. If your account name is
admin, /home/admin won't work as your home
dir unless /home/admin exists, with the proper rights)

The bottom line is this: cygwin is a *nix environment
that runs under Win32. The (cygwin) *nix configuration
parameters have to be attended to first, and the NT/Win2k
information can be massaged to meet those parameters.
Unless/until you do that, ssh/sshd won't work.

Jim
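
Added example (not part of any post in this thread, and not Cygwin or OpenSSH code): shell functions for the two things the replies compare, the owner and mode of /var/empty and the sshd line in /etc/passwd. It assumes the "Bad owner or mode" check means owner plus no group/world write bit; the owner UID is a parameter, the accepted GIDs 18 and 27 are the ones Jim reports as working, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: privsep prerequisite checks for the setup discussed above.

# check_privsep_dir DIR OWNER_UID
# Succeeds when DIR is a directory owned by OWNER_UID with no group or
# world write bit; otherwise prints the reason and returns 1.
check_privsep_dir() {
    dir=$1; want_uid=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # ls -ldn prints the mode string first and the numeric owner third
    set -- $(ls -ldn "$dir" | awk '{print $1, $3}')
    mode=$1; uid=$2
    [ "$uid" = "$want_uid" ] || { echo "owner uid $uid, expected $want_uid"; return 1; }
    case $mode in
        d????w*|d???????w*) echo "group/world writable: $mode"; return 1 ;;
    esac
    return 0
}

# check_sshd_entry PASSWD_FILE
# Succeeds when PASSWD_FILE has an sshd user whose home is /var/empty and
# whose GID is 18 (system) or 27 (sshd), the values reported as working.
check_sshd_entry() {
    line=$(grep '^sshd:' "$1") || { echo "no sshd user in $1"; return 1; }
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    case $line in
        *:/var/empty:*) ;;
        *) echo "sshd home directory is not /var/empty"; return 1 ;;
    esac
    case $gid in
        18|27) return 0 ;;
        *) echo "sshd GID is $gid, expected 18 or 27"; return 1 ;;
    esac
}

# Demo on constructed input: a scratch directory and one posted passwd line.
demo=$(mktemp -d)
chmod 755 "$demo"
printf '%s\n' 'sshd:*:27:18::0:0:/var/empty:/bin/false' > "$demo/passwd"
check_privsep_dir "$demo" "$(id -u)" && echo "directory: ok"
check_sshd_entry "$demo/passwd" && echo "passwd entry: ok"
rm -rf "$demo"
```

On the Cygwin setups described above, the call would be check_privsep_dir /var/empty 18 followed by check_sshd_entry /etc/passwd.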